Comparing Hospitals' CISO Strategies
Resources dictate size of security team
Whether a hospital has a chief information security officer is dependent, in large part, on the size of the facility. For example, while many academic medical centers have a CISO and a team of security experts, many community hospitals, faced with budget constraints, do not. Instead, the CIO and members of his team often share responsibility for security matters.
A recent survey found that only about half of hospitals have a CISO.
"The responsibilities of what you would typically see in a chief security officer are spread among quite a few folks here, and it has worked really well for us," says Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind.
"Ultimately I am responsible, as CIO, for making sure that security gets done. But my manager of technical services has a piece of security, and I've got a few other folks that have pieces. We work really well together to make sure everything is covered."
Justifying the expense
The 247-bed community hospital would find it difficult to justify the expense of a full-time CISO, Christian says. "It's a matter of resources and resource utilization. We have done a really good job with securing the perimeter. So when you make it look really easy, then it is hard to justify that position." "It's kind of like if you have a car that is working pretty well, you don't really want to go get another one until the old one is not working any more."
Good Samaritan occasionally hires outside consultants to lend a hand with security issues. But Christian longs for the day when he has a full-time CISO.
"If we had somebody who was doing security full-time, then there is a whole litany of other things that they could do and another level of security that they could take you to."
In the meantime, Good Samaritan and other hospitals lacking CISOs are scrambling to implement plans to comply with the data security provisions of the HITECH Act.
The position evolves
Some midsize hospitals, however, have had a CISO in place for a number of years and are now adding more responsibilities to the position in light of new regulations and other factors.
For example, Christopher Paidhrin has served as the equivalent of CISO at Southwest Washington Medical Center in Vancouver, Wash., for 10 years. The hospital, which has more than 400 beds, originally ramped up its data security efforts in the wake of the enactment of the HIPAA security and privacy rules, he recalls.
Although he does not have a full-time data security team, Paidhrin can call on the expertise of many members of the hospital's IT staff as needed. He co-chairs an information security council and serves on a "continuous regulatory compliance" committee that addresses security and other issues.
In recent months, Paidhrin says his role has "matured" to include new responsibilities. Those include providing data security advice to physicians in the community and building awareness of privacy and security throughout all service areas within the hospital.
Academic approach
In recent years, many of the nation's largest academic medical centers, which have huge IT staffs, have built data security teams headed by a CISO.
Johns Hopkins Medicine, a massive academic medical center that includes four hospitals and numerous other facilities, has had a full-time CISO for almost five years. A team of about six security experts supports a long list of ongoing projects, says Stephanie Reel, vice president of information services.
"The CISO not only has solid-line reporting responsibility for the people who report directly to him, but a matrix reporting relationship with the other people who have responsibility for security within the other teams of our IT organization," Reel says.
Johns Hopkins Medicine's central IT office has a staff of about 250. The broader Johns Hopkins University has about 750 IT staffers, all of whom report to Reel, who is also the university's vice provost for IT.
The academic medical center also has a privacy officer who reports to a general counsel's office. "We felt that it was best to have someone looking out for the welfare of our patients from a privacy point of view and not strictly focus on information technology," Reel says. "And, in fact, the CISO has a joint reporting relationship both to me and to our general counsel."
Legal department's role
In contrast, Shriners Hospitals for Children does not have a full-time CISO even though it has 22 hospitals spread across North America, explains William Bria, M.D., chief medical informatics officer. Instead, the organization's CIO "is effectively the CISO," Bria says. That fits well with the CIO's ongoing efforts to lead a massive electronic health records rollout at all the facilities.
In addition, Bria, who, as CMIO, represents physicians' interests in all IT projects, works with a variety of staff members involved in security issues.
"Our legal department has, from the very beginning, been our close partner with regards to compliance, security standards and ensuring information is accessed only by those who need to know that information," Bria says.
"Privacy and security of clinical information is an inextricable partner with improvement in the quality and safety of care," the physician stresses. And doctors will support using security technology if they're aware of that link, he argues.
"If a security technology makes sense from the standpoint of protecting the relationship between the clinician and the patient or protecting the patient's safety, then physicians will get behind that technology, even if it provides them some degree of inconvenience," Bria says. "If, on the other hand, they perceive a security technology as somehow compromising their ability to communicate with patients, they will strongly oppose it."